There’s a serious bug in the current implementation of SAML authentication which allows an unauthenticated attacker to log into any existing user account without a password. The details have been reported to the vendor.
The quick fix below has been tested against SuiteCRM 7.8.18 LTS; it may also apply to newer SuiteCRM versions, but it has not been tested there. The file paths inside the patch are relative to the SuiteCRM root (hence -p0), so on any other version first confirm that every hunk applies cleanly (patch's --dry-run option) before modifying the installation, and keep a backup of the files the patch touches.
To apply the patch on a Linux system, run the following command in the SuiteCRM root:
# patch -p0 <SuiteCRM-7.8.18-SAML-auth.patch
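The following shell script is an added example for this note; it is not part of the advisory or of the SuiteCRM patch. It wraps the patch command above with the checks an administrator would want before touching a production installation: it refuses to run unless the root and patch file exist, recognises a patch that has already been applied (patch -R --dry-run), verifies with a dry run that every hunk applies before anything is written, applies with backups, and then moves the .orig backup copies out of the web root, because a web server serves *.orig files as plain text and would expose the source of the unpatched (vulnerable) code. The directory layout, file names and patch used by demo() are constructed for the example; the SuiteCRM patch itself is not reproduced.

```shell
#!/bin/sh
# Added example, not part of the original advisory or of SuiteCRM.
# Applies a -p0 patch from the application root with safety checks around it.
# All paths and the patch built by demo() are constructed for this example.

# apply_patch_safely <app-root> <patch-file> <backup-dir>
# Prints exactly one word: ok | already-applied | dry-run-failed | failed | missing
apply_patch_safely() {
    root="$1"; pfile="$2"; bdir="$3"
    if [ ! -d "$root" ] || [ ! -r "$pfile" ]; then
        echo missing; return 1
    fi
    # -R reverses every hunk; reversed hunks only apply if the patch is already in.
    if ( cd "$root" && patch -p0 -R -s -f --dry-run < "$pfile" >/dev/null 2>&1 ); then
        echo already-applied; return 0
    fi
    # --dry-run writes nothing; a non-zero status means at least one hunk fails.
    if ! ( cd "$root" && patch -p0 -s -f --dry-run < "$pfile" >/dev/null 2>&1 ); then
        echo dry-run-failed; return 1
    fi
    # Real run; -b keeps <file>.orig next to every modified file.
    if ! ( cd "$root" && patch -p0 -b -s -f < "$pfile" >/dev/null 2>&1 ); then
        echo failed; return 1
    fi
    # Relocate the backups out of the web root: the "+++ path" lines of the
    # patch name every file that was modified.
    grep '^+++ ' "$pfile" | awk '{print $2}' | while read -r f; do
        [ -f "$root/$f.orig" ] || continue
        mkdir -p "$bdir/$(dirname "$f")"
        mv "$root/$f.orig" "$bdir/$f.orig"
    done
    echo ok
}

# demo: build a constructed tree and patch in a temp dir, run the function
# twice, then once with a missing patch file, and print the outcomes on one
# line followed by "clean" if the tree and backup are in the expected state.
demo() {
    tmp=$(mktemp -d)
    root="$tmp/root"; bdir="$tmp/backup"
    mkdir -p "$root/app"
    printf '<?php\n$settings = array(\n    "maintenance" => false,\n);\n' > "$root/app/settings.php"
    cat > "$tmp/demo.patch" <<'EOF'
--- app/settings.php
+++ app/settings.php
@@ -1,4 +1,4 @@
 <?php
 $settings = array(
-    "maintenance" => false,
+    "maintenance" => true,
 );
EOF
    r1=$(apply_patch_safely "$root" "$tmp/demo.patch" "$bdir" || true)
    r2=$(apply_patch_safely "$root" "$tmp/demo.patch" "$bdir" || true)
    r3=$(apply_patch_safely "$root" "$tmp/nope.patch" "$bdir" || true)
    # patched file changed, no .orig left in the web root, backup relocated
    if grep -q '"maintenance" => true' "$root/app/settings.php" \
        && [ ! -e "$root/app/settings.php.orig" ] \
        && grep -q '"maintenance" => false' "$bdir/app/settings.php.orig"; then
        state=clean
    else
        state=dirty
    fi
    rm -rf "$tmp"
    echo "$r1 $r2 $r3 $state"
}
```

Run demo to see the four outcomes; for a real installation call apply_patch_safely with the SuiteCRM root, SuiteCRM-7.8.18-SAML-auth.patch and a backup directory outside the web root, and act on the single word it prints (anything other than ok or already-applied means the installation was not modified).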